HP3000-L Archives

April 2006, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: johnpitman <[log in to unmask]>
Reply To: johnpitman <[log in to unmask]>
Date: Wed, 19 Apr 2006 09:29:45 +1000
Content-Type: text/plain

We had a bit of a flood attack today with the symptom being our Sonicwall
filling its connection cache and being unable to get to the internet, slowing
everything down. The maddening thing was we could see the count rise after a
reboot, but could not find any way to find out where/who the connections were
coming from despite logging everything possible. We tried selective
disconnections to diagnose the source, but found nothing - the count went
down a couple of times and we thought we had it, but it rose to full again
after a short time. I spoke to our ISP/external network provider and all
they could tell us was they were seeing traffic OUT from our firewall from
port 135 on subnets that didn't exist. Eventually we gradually shut
everything down, disconnected everything, got count down to normal, slowly
brought things back on, and it didn't recur.
We had one tool on a PC that showed traffic coming from IP subnets (inside
192.168) that don't exist in our network, showing MAC addresses of
ff.ff.ff.ff.ff.ff  or all zeros and other crap that frightened us badly, but
were no help at all.
Anyway, can anybody please suggest any good affordable tools that could help
us to localize the source of this type of thing? We have a Sonicwall which
says it protects against Synflood, but this is exactly what a storm on port
135 (Mblaster virus?) looks like from what I have read tonight.

Thanks,
jp

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
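
One way to approach the localization question in the message above, as an added example that is not part of the original post: group TCP SYNs to port 135 by source MAC and keep the MACs that send from source IPs outside the subnets that really exist, since a real source MAC can be looked up in a switch's MAC address table to find the port. The capture format (`tcpdump -e -n` style), the `KNOWN_SUBNETS` value and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the subnets that actually exist on the LAN (the post only says "inside 192.168").
KNOWN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
UNUSABLE_MACS = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}  # cannot be traced to a switch port

# Constructed sample lines in the style of `tcpdump -e -n` output (not real capture data).
SAMPLE = """\
09:29:45.000101 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 62: 192.168.77.12.1045 > 203.0.113.9.135: Flags [S], seq 1, win 64240, length 0
09:29:45.000207 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 62: 192.168.91.200.1046 > 198.51.100.4.135: Flags [S], seq 2, win 64240, length 0
09:29:45.000311 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 62: 192.168.13.7.1047 > 203.0.113.77.135: Flags [S], seq 3, win 64240, length 0
09:29:45.000420 00:11:22:33:44:66 > 00:aa:bb:cc:dd:02, ethertype IPv4 (0x0800), length 62: 192.168.1.20.2201 > 192.168.1.5.135: Flags [S], seq 4, win 64240, length 0
09:29:45.000533 ff:ff:ff:ff:ff:ff > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 62: 192.168.200.5.1100 > 198.51.100.9.135: Flags [S], seq 5, win 64240, length 0
09:29:45.000641 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 62: 192.168.1.20.2202 > 203.0.113.80.80: Flags [S], seq 6, win 64240, length 0
""".splitlines()

# Matches only pure SYNs (Flags [S]), not SYN-ACKs (Flags [S.]).
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\],"
)

def suspect_sources(lines, port=135):
    """Per source MAC, count SYNs to `port`; keep MACs that used a source IP in no known subnet."""
    stats = defaultdict(lambda: {"syns": 0, "spoofed": 0, "dests": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        entry = stats[m["smac"]]
        entry["syns"] += 1
        entry["dests"].add(m["dip"])
        if not any(ipaddress.ip_address(m["sip"]) in net for net in KNOWN_SUBNETS):
            entry["spoofed"] += 1
    return {mac: s for mac, s in stats.items() if s["spoofed"]}

def report(lines):
    """Rows of (source MAC, SYNs, SYNs from unknown subnets, distinct targets, MAC usable for lookup)."""
    rows = [(mac, s["syns"], s["spoofed"], len(s["dests"]), mac not in UNUSABLE_MACS)
            for mac, s in suspect_sources(lines).items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Rows whose last field is `False` carry a broadcast or all-zero source MAC, like the ones the post describes, and cannot be traced through a MAC table lookup.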
